2014 Micro Blacklist

[ 2014 Micro Blacklist ] Over the past several months, I’ve assembled a “micro” blacklist to keep some recent threats at bay. Eventually, this will be integrated into the next nG Blacklist, but for now I just wanted to post and share with anyone else who is actively monitoring their server logs and aware of the recent spike in malicious activity.

The 2014 Micro Blacklist blocks some particularly persistent user agents and hosts, as well as a handful of resource-wasting IP addresses that just won’t stop scanning and sniffing around where they don’t belong. Lastly, there a couple of lines for blocking some relentless 404 requests.

2014 Micro Blacklist

To implement this blacklist, just copy/paste into the root .htaccess file of your website. If the .htaccess file doesn’t exist, check that you’re on an Apache server (and that .htaccess is enabled), and then go ahead and create one. Check out my .htaccess book if you need help with anything .htaccess related, and/or to learn WAY more about securing your site.

# 2014 Micro Blacklist
<IfModule mod_setenvif.c>
	Order Allow,Deny
	Allow from all
	Deny from 123.151.39.
	Deny from 77.172.210.
	Deny from 174.94.131.
	Deny from 89.238.137.59
	Deny from 212.90.148.101
	Deny from 91.207.61.129
	Deny from 202.46.52.120
	Deny from 128.73.60.194
	Deny from 68.108.17.141
	Deny from 27.54.93.178
	Deny from 194.9.94.213
	Deny from 122.166.169.127
	Deny from 96.9.163.49
	Deny from 54.229.73.40
	Deny from 203.109.158.201
	Deny from 46.105.113.8
	Deny from 183.60.244.
	Deny from 54.232.102.193
	Deny from 195.157.124.186
	Deny from 118.39.113.219
	Deny from 27.255.56.87
	Deny from 69.161.138.1
	Deny from 192.96.204.42
	Deny from 178.63.52.200
	Deny from 27.252.92.103
	Deny from 37.59.65.58
	Deny from 186.202.126.94
	Deny from 186.213.72.146
	Deny from 186.219.44.6
</IfModule>
<IfModule mod_rewrite.c>
	RewriteCond %{HTTP_HOST} (.*)\.crimea\.com [NC,OR]
	RewriteCond %{HTTP_HOST} s368\.loopia\.se [NC,OR]
	RewriteCond %{HTTP_HOST} kanagawa\.ocn [NC,OR]
	RewriteCond %{HTTP_HOST} g00g1e [NC,OR]
	RewriteCond %{HTTP_USER_AGENT} (ia_archiver|g00g1e|seekerspider|siclab|spam|sqlmap) [NC]
	RewriteRule .* - [F,L]
</IfModule>
<IfModule mod_alias.c>
	RedirectMatch 403 router\.php
	RedirectMatch 403 /\)\.html\(
</IfModule>
<IfModule mod_rewrite.c>
	RewriteCond %{QUERY_STRING} http\:\/\/www\.google\.com\/humans\.txt\? [NC]
	RewriteRule .* - [F,L]
</IfModule>

Notes: ia_archiver was a tough call — they do some legit stuff, but lots of illicit/malicious requests are made claiming that UA or some derivitive thereof.. so it’s your call on that, feel free to remove it if the wayback machine is important to you or whatever.

About the IPs, normally I don’t bother blocking individual IPs because they are frequently spoofed and/or changing constantly. When it looks like an IP is directly tied to the perpetrator, blocking by IP can be an effective remedy for the endless scanning and malicious HTTP requests that ail you.

Update: Added to the list protection against the humans.txt scanning script for good measure.

Lastly, this “micro” blacklist serves as a good starting point for building up your own mini-firewall that’s tuned to your particular server and traffic profile.

Have fun and keep those sites secure people.